MikroTik

ivanfm

There are a problem with passwords sent to radius in 6.45.1.

The problem is corrected in 6.45.2

ivanfm

RouterOS version 6.45.1 (2019-Jun-27 10:23) has broken RADIUS PAP auth!!! We have 500+ clients with Mikrotik devices and 27 june in our RADIUS server we see many errors from Mikrotik devices: Mon Jul 1 11:04:53 2019 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [XX-XX-FA-92-1...

ivanfm

Same problem with hotspot, opened ticket with support : #2019070222007151

ivanfm

Ditto on the recent Linux DOS vulnerabilities update - will Long-Term receive it and when. If not, please provide recommended Firewall filter rules. Thank you. The advisory linked to in the blog post suggest blocking TCP traffik with a low MSS, but doesn't mention what this "low MSS" is. So my gues...

ivanfm

Hey, Mikrotik team! Please extend "netwatch" funtionality a little bit. It is a nice feature, but so undeveloped. It will be nice to have an option to set amount of ping to send before change status to down and at its frequency. ..and the possibility to set source address (e.g. remote ipsec hosts) ...

ivanfm

My home network is capsman based. I got 10 sonoff basic installed in the network without much problems.

I have used the "Compatible Pairing Mode (AP)" from the ewelink app on Android.
The "Quick Pairing mode (Touch)" which is the default mode does not worked.

ivanfm

Hello, I do have a simular problem: I want to implement a digest web authentification. The first step is to do a request to the server. The server will answer with 401 error but addional infos in the response. How to caputure the responce into a textfile or variable? Mikrotik scripting is not accep...

ivanfm

This things will be better when authentications like digest is implemented for fetch command because some new devices are not supporting more the basic authentication.

ivanfm

This javascript library has many functions for filter, sorting and formatting that can be usefull for this matrix : https://mottie.github.io/tablesorter/docs/ Please add the filter and sort2hash modules. This will make very easy to create views of this table and pass the links to "show" only a subse...

ivanfm

Hi Europe/Volgograd time zone is incorrect. should be GMT Offset +04:00 from October 28 It's not MiktoTik problem. All websites I can found show GMT +03:00 for Volgograd today, even Google. If +04:00 is true, it needs to be fixed in TimeZone Database, not in applications. This Volgograd change was ...

ivanfm

Bridge always worked that way and if suddenly bridge with inactive (no ports) will not have running flag, it will break all configurations with loopbacks and other configurations where bridge is used as dummy interface. In the migration from master to bridge you have break an always working configu...

ivanfm

I have posted repeatedly why this is unacceptable. To be honest, never saw such posts. Any links? Anyway, have you reported to support@mikrotik.com? I have found a single post about this : https://forum.mikrotik.com/viewtopic.php?f=21&t=123936&p=626322#p626322 It's a valid use case. But I agree wit...

ivanfm

After updating on all my devices I see such a picture. https://forum.mikrotik.com/download/file.php?mode=view&id=33580 https://forum.mikrotik.com/download/file.php?mode=view&id=33579 I have found this "setW60Gap" variable in one of my upgraded devices (751G-2HnD). I have not found any new variables...

ivanfm

coming to the router near you soon: $ host <serial>.sn.mynetname.net <serial>.sn.mynetname.net has address 192.168.88.1 <serial>.sn.mynetname.net has IPv6 address 2001:db8:1337:beef::ada Suggestion : add an option in cloud service to add an extra personal prefix. like "xyz" when user define persona...

ivanfm

Drop of RADIUS PAP support for ssh logins is a big problem for us too. We're using a one-time password implementation which is impossible to integrate with MS-CHAPv2 - the security appliance only stores the hash of the PIN (fixed part of the password) and because of this cannot support MS-CHAPv2 si...

ivanfm

*) backup - do not encrypt backup file unless password is provided; I like the current way it works the backup is encrypted with admin password. Please make an option to encrypt using current admin password like before, I don't want to have my backup unencrypted neither want to put a password in a s...

ivanfm

I also want to disable this automatic DHCP client.

I want my mikrotik in a fixed IP address to use the DMZ service on LTE modem.

The modem does not have option to specify fixed addresses neither has options to reduce the dhcp range.

ivanfm

Does 6.42.1 force SSH host key renewal on first login after the upgrade? The SSH host keys are changing on every router I upgrade and I want to rule out the unlikely MITM. A few of my devices have changed keys, many of them retained the old key. I did not find motive to rebuild key in some and not ...

ivanfm

That is true, yes. We have a nice article on how to make your device secure, I suggest everyone read it, as it contains most of the basics: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router normis some of the commands in this article works only in old versions. Like mac-server now uses an ...

ivanfm

will be nice an option to log only on error.

no messages when got and 200 response, but log for connection error or different status code.

ivanfm

My suggestions : ISODateTime - returns date/time in ISO format, great for saving backup files, that can be ordered, currently the ROS date used month as text. FlashPrefix - receive an filename and return it with /flash/ when the device has an /flash directory to keep saved files Function to keep onl...

ivanfm

You can always configure OpenDNS as your DNS server, either as the DNS for the router itself and then advertise the router address as DNS server in DHCP or by advertising the OpenDNS servers in DHCP, and then configure an OpenDNS account on your internet address with the settings you like. You do n...

ivanfm

Is there a way to just disable the backup when doing reset by button ?

The reset can be made, we just don't want the previous configuration to be preserved in any place.
This will be safer for vpn passwords and other private data.

ivanfm

/ip firewall filter # ensure this is at the top of the rule list add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp Will be very nice if mikrotik add to the dst-address-type an other option like "...

ivanfm

Configure your hotspot to use radius.

In your radius server you can decide which users can be logged or not.

There are many mini radius servers that can be used to make this happens with small adjustments.

ivanfm

Standard users does not understand 2.4G and 5G, but they can understand that network XX-2.4G are better in some places of the house than the XX-5G. When I had used same ssid for two networks was very difficult to troubleshot remotely. Using different ssid make easier even for non technical users to ...

ivanfm

+1

I think we should have two options :

1. Just send the request following the radius order
2. Send the request for one specific radius server

ivanfm

What's new in 6.41rc50 (2017-Oct-30 10:13):
*) radius - limited RADIUS timeout maximum value to 3 seconds;
do not do this, our system on average 1~5 seconds to process the radius package
please leave this field customizable

We also have to use 5 seconds.

ivanfm

For ppp you should enable ipv6 in the ppp profile selected in the ppp connection.

Look this :

https://wiki.mikrotik.com/wiki/3G_confi ... with_Tele2
https://wiki.mikrotik.com/wiki/Manual:P ... r_Profiles

If your provider gives PD you should configure PD.

ivanfm

brunoeco do you know if this modem works with ipv6 ?

Thanks

ivanfm

There are many tutorials in the wiki showing how to make VPN using mikrotik. https://wiki.mikrotik.com/wiki/Category:VPN https://wiki.mikrotik.com/wiki/Tunnels You could use an standard linux or an Mikrotik CHR at AWS . For best performance try to use ipsec To work from any place the sstp is the bes...

ivanfm

In some places the providers are giving only the CGNAT addresses, you can try to change operator. I use TIM and got valid IPV4 address, and IPv6 (São Paulo). Another solution which I use to keep access and to be away from port blocking is to create a VPN from the router to a place where you have an ...

ivanfm

Updated some devices :

RouterBOARD wAP 2nD r2 : all configuration was lost, the device had to be reconfigured from scratch.
RB951 and 751 : without trouble.

ivanfm

Maybe that's how it happens, but it's not the best way. Maybe that's why I'm having multiple domains of google released incorrectly. Today, HTTPS requests use TLS and browsers support SNI existem, in which the name of the server is sent. Https://en.wikipedia.org/wiki/Server_Name_Indication Can you ...

ivanfm

Hi, anyone has tried to use the mikrotik socks service via IPV6 ? I have the service enabled, it accept connections on ipv4, but I got connection refused when trying to connect via ipv6 address. The firewall is correct and connections are enabled. I want to use the socks service to make some IPV4 se...

ivanfm

Thanks for all the info! ;) I have an good offer for RB951G-2HnD, which should be used as router (for some time, later changed for RB750Gr3 probably), RB751U-2HnD also used but great price. Connected by Ethernet together and where needed I will buy mAP/cAP/hAP/*lite and decrease power for RB951/RB7...

ivanfm

Same Issue - ZTE MF823L modem, sim unlocked, works fine direct on a linux machine as an ethernet device. Detected correctly in mAP 2n ----------------- routerboard: yes model: RouterBOARD mAP 2n firmware-type: ar9330L factory-firmware: 3.17 current-firmware: 3.24 upgrade-firmware: 3.24 -------------...

ivanfm

If two names with different rules resolve to the same IP, then what do you expect the Mikrotik to do?

Considering that it connect check inside the https , it should permit both names, because the IP is permitted.

ivanfm

Create your SSTP VPN as documented here : http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP on client add static ip on the interface and the route /ipv6 address add interface=CLIENT_VPN_INTERFACE address=CLIENT_IPV6_ADDRESS advertise=no /ipv6 route add dst-address=THE_ADRESSESS_TO_ROUTE gateway=CL...

ivanfm

I known it will be phase out, but the official client does not support in Android and Windows, this can be a big problem how we can have a very secure server if most of clients connect to it.

ivanfm

I was testing the wireless scan and found a problem. using version 6.37.1 After doing wireless scan : /interface wireless scan wlan1 duration=10s save-file=wireless-scan the device stops broadcasting the SSID, if I disable/enable the wlan1 on webfig interface it returns, or if I just enable by comma...

ivanfm

I'm using IPV6 on SSTP VPN with mikrotik.

The server does not pull the address for client, but if you configure static address and routes the ipv6 traffic goes fine.

Will be very nice if mikrotik get the IP from radius and pull to the client.

ivanfm

According to the docs http://wiki.mikrotik.com/wiki/Manual:System/Certificates "All certificate fingerprints are SHA1. Starting from v6.18 sha256 is used for certificate fingerprints and hashes" I'm using internal generated certificates with openvpn, and the "OpenVPN Connect" client does not support...

ivanfm

I understand that mikrotik cannot lookup inside the packets to see the real request destination by Host header. But the hotspot code can have an option to check the DNS resolutions (yes All DNS resolutions are being made by the mikrotik) and when there are an resolution for a name in walled garden f...

ivanfm

I have found this problem in my tests with version 6.36 and 6.37. What I have discovered (replaced original domains ) : http://www.xyz.com works https://www.xyz.com does not work the walled garden have the www.xyz.com host with allow entry. Currently the www.xyz.com is not an A record in DNS but an ...

ivanfm

I have upgraded from 5.25 to 6.1.
After upgrade I cannot login using web interface using Chrome 27.0.1453.110(Linux).

I got the message "ERROR: Internal Server Error"

I can connect to web interface using firefox, and I can connect using ssh.

Search found 46 matches